Certification Report - Worksheet

  • 7011048
  • 07-Jul-2010
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

The worksheet displays the individual line items that are assigned to the identities within identity-type certifications. Identity-type certifications are Manager, Application Owner, Advanced, Identity, and Role Membership certifications. By default these items are grouped by the identity with which they are associated.

Only the top-level roles are displayed. For example, if a role contains required and permitted roles, only the top-level role is displayed and the required and permitted roles are certified as part of that role. Both assigned and detected roles are displayed, and each is denoted by an icon. Click on the role name to display the Certification Decision tab and detailed information.

If the certification was scheduled with the Access Governance Suite capabilities and scope included, these appear as entitlements on the Access Governance Suite application as Capabilities and Authorized Scopes attributes. Revoking these entitlements has auto-remediation enabled by default. This means that when the revocation is processed (either when the certification is signed or immediately, depending on the certification configuration) the capabilities and authorized scopes are removed from the identity.

Use the options at the bottom right of the table to export this list to a Microsoft Excel Worksheet, open the Identity List view, or change the way the entitlement descriptions display. The Microsoft Excel Worksheet is not connected to Access Governance Suite and actions taken there are not reflected in the product.

Do one of the following:

  • Click on an item to display the Certification Decisions tab and view detailed information about the identity with which the item is associated.
  • Take action on an item using the icons in the decision column. The decision icons displayed are dependent on configuration settings and options selected when the certification request was scheduled.
  • Right-click on an item and select View History or Add Comments to view the certification history of the item or add comments as needed. History and comments are displayed in the History dialog.
  • Right-click on any item that is displaying the attention required, or star, icon to handle a revocation challenge or review the decision made by a certifier to whom this item was delegated.
  • Select multiple items using the selection boxes in the left-most column and select the appropriate action from the Select Bulk Action drop-down list at the bottom of the page. Use the multi-select box at the top of the column to select multiple items at one time. A user cannot certify themselves unless self certification is enabled during configuration.
    The selection boxes are only visible if bulk actions are enabled for your deployment of Access Governance Suite.

The default worksheet contains the following information:

Note: The certification pages are configurable for each implementation of Access Governance Suite. Your screen might not display the same information as is listed in this table.

Legend

The legend defines the choices available from the decisions column. Mouse over an icon in the legend to display a pop-up description.

Selection box

Use the selection boxes to select an item, or multiple items, and select the appropriate action from the Select Bulk Action drop-down list at the bottom of the page. A user cannot certify themselves unless self certification is enabled during configuration.

Use the multi-select box at the top of the column to select multiple items at one time.

Note: This column is not displayed if the certification has already been signed off, or if you are not the certification owner.

Certification Decision

Note: The decision buttons displayed are dependent on system settings configured during deployment of Access Governance Suite and decisions made when the certification was scheduled.

To edit or change a decision after a save has been performed, click on a different decision icon and resave the certification.

To add comments or view the history associated with an item, right-click and select an option from the drop-down menu. When comments are added to a certification item, balloon icons are displayed in this column.

  • Role or Entitlement Decision:
    • Approve - approve this item. If you approve a role then you are approving items contained within.
    • Approve Account - approve the entire account associated with this item, including all entitlements, on the associated application.
    • Revoke - launch a revocation request for this item or modify its associated permissions. Identity IQ must be configured to enable editing of permissions from this page. If a role being revoked contains items that are reused by the user, those items are not revoked.
    • Revoke Account - launches a revocation request for the entire account associated with this item, including all entitlements, on the associated application.
    • Allow Exception - approve this item for a specific period of time.
    • Delegate - delegate the certification of this item to someone else with certification authority.
  • Policy Violation Decisions:
    • Allow - allow the violation for a specific period of time.
    • Revoke - revoke one or more of the conflicting roles or permissions.
    • Delegate - delegate the certification of the policy violations, for this identity, to someone else with certification authority.

Identity

The distinguishing identifier for this user as derived from the identity authoritative source, for example an employee number.

First Name

The first name of the identity associated with the line item.

Last Name

The last name of the identity associated with the line item.

Description

A brief description of the item.

When available, click on the information icon to toggle between the entitlement name and the entitlement description.

Application

The application on which the entitlement resides. This field is blank for roles and policy violations.

Instance

The instance of the application on which the account resides.

Account ID

The login ID used by this identity on the application associated with the entitlement specified.

Due Date

This column is only displayed for continuous certifications. It shows the current state of the item in the continuous certification life cycle (certified, certification required, or overdue). The date displayed is the date at which the item will move to the next state.

Status

The status of the certification for the specific item. Possible statuses are:

  • Open - action is required on this item before this certification is considered complete.
  • Complete - certification of this item is complete.
  • Challenge - a revocation notice has been sent to a user informing them that they are about to have some access revoked and enabling them to accept or challenge that revocation.
  • Challenged - a user has challenged the revocation of some access point and that challenge is awaiting your response.
  • Delegated - certification for this item has been delegated to another approver. That approver has not yet taken action on the delegated certification request.
  • Waiting Review - action was taken on a delegated certification request and that action is now awaiting your review.
  • Returned - the certification request for this item was delegated and returned with no action being taken.

Note: The Waiting Review status is dependent on Access Governance Suite being configured to require reviews of all delegated certification requests.

Composite Score

The composite risk score for the associated item.

Changes Detected

  • Yes - changes were made to this item since the last certification was completed.
  • No - changes were not made to this item since the last certification was completed.
  • New User - this is the first time this item has been included in a certification of this type.

Select Bulk Action

A list of the actions you can perform on multiple items at one time. The choices are dependent on system settings specified during product configuration. The bulk actions correspond to actions taken on individual items. Bulk actions overwrite your ability to add missing required roles to the roles being certified.